08-08-2012 05:37 AM
Is it possible for ACE in one-arm mode to NAT using the same source address? If yes, then how?
Regards,
Hesham
08-08-2012 05:47 AM
Hesham,
What source address are you referring to, the original client IP that is making the request? If so, this is not possible. You need to use a NAT-pool address that the ACE can own to force the server reply back to the ACE rather than sending directly back to the client.
Regards
Jim
08-08-2012 05:50 AM
So that will only work in transparent mode?
Regards,
Hesham
08-08-2012 05:56 AM
Hesham,
Transparent mode does not change the VIP address to the server IP. NAT-pools are used to change the client IP to an address the ACE owns to avoid asymmetric traffic flows. Not quite sure what you are trying to accomplish. Can you give more detail?
08-08-2012 05:57 AM
OK, so if I have 10 VIP IPs on ACE, can I specify the NAT IP for each VIP IP? Because if that is not possible, then how will I restrict access to servers that are LB by Cisco ACE when these servers are behind a firewall?
Regards,
Hesham
08-08-2012 06:05 AM
In other words, all requests hitting the servers will be from the NAT pool IPs! So if these servers are protected by a firewall then I won't be able to have restrictions based on source IPs (client IPs).
Is there a work around to solve this issue?
Regards,
H
08-08-2012 11:53 AM
Does anyone have an idea to solve this issue?
Regards,
08-09-2012 08:11 AM
Hesham,
With the statement "Ok, So if I have 10 VIP IPs on ACE? , can I specify the NAT IP for each VIP IP.", are you talking about using the same nat-pool address as the vip IP?
Example: If you have the class-map like this
class-map match-all L4VIPCLASS
  2 match virtual-address 10.86.178.254 tcp eq www
And use the same IP in the nat-pool?
interface vlan 178
  description Client Vlan
  ip address 10.86.178.227 255.255.255.0
  peer ip address 10.86.178.228 255.255.255.0
  mac-sticky enable
  access-group input ANYONE
  nat-pool 56 10.86.178.254 10.86.178.254 netmask 255.255.255.255 pat
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  service-policy input jim
  no shutdown
If this is what you are talking about, it is definitely possible. Even if you do not want to use the same VIP IP as the nat-pool IP, you can still have one nat-pool IP tied to just one VIP IP.
Regards
Jim
08-09-2012 10:08 AM
Thanks for your reply.
That is exactly what I was asking for, but what if I have several class maps with different VIPs? In your example you only stated one VIP using the same NAT IP for it.
How can I do the same with other VIPs? Please give me an example like the one you mentioned above.
Regards,
08-09-2012 10:26 AM
Hesham,
Here is a sample with 3 VIPs using the same IP and 3 nat-pools; you would use the same template for the rest of your VIPs.
class-map match-all vip-1
  2 match virtual-address 172.16.0.15 tcp eq www
class-map match-all vip-2
  2 match virtual-address 172.16.0.16 tcp eq www
class-map match-all vip-3
  2 match virtual-address 172.16.0.17 tcp eq www
policy-map multi-match VIPs
  class vip-1
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-1
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 511
  class vip-2
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-2
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 2 vlan 511
  class vip-3
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY-3
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 3 vlan 511
interface vlan 511
  ip address 172.16.0.130 255.255.255.0
  alias 172.16.0.128 255.255.255.0
  peer ip address 172.16.0.131 255.255.255.0
  access-group input any
  nat-pool 1 172.16.0.15 172.16.0.15 netmask 255.255.255.0 pat
  nat-pool 2 172.16.0.16 172.16.0.16 netmask 255.255.255.0 pat
  nat-pool 3 172.16.0.17 172.16.0.17 netmask 255.255.255.0 pat
  no shutdown
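As an added check, not part of the thread and not a Cisco tool: a small Python lint that reads the three-VIP template above (embedded below as a constructed, re-indented and abridged sample) and verifies, for each VIP class in the multi-match policy, that its `nat dynamic <id> vlan <vlan>` line resolves to a single-address nat-pool on that VLAN whose address equals the VIP, and that no VIP class is missing SNAT altogether. The `server_sees` field in the report is the source address the real servers, and any firewall in front of them, will see after the ACE rewrites the client address, which is the point raised earlier in the thread: a firewall behind the ACE cannot filter on client IPs, so per-client restrictions have to be applied on the client-facing side of the ACE. Function names and the report format are my own.

```python
import re
from typing import Dict

# Constructed sample: the three-VIP template from the thread, re-indented and
# abridged to the lines this check reads.
SAMPLE_CONFIG = """\
class-map match-all vip-1
  2 match virtual-address 172.16.0.15 tcp eq www
class-map match-all vip-2
  2 match virtual-address 172.16.0.16 tcp eq www
class-map match-all vip-3
  2 match virtual-address 172.16.0.17 tcp eq www
policy-map multi-match VIPs
  class vip-1
    loadbalance policy WEB_L7_POLICY-1
    nat dynamic 1 vlan 511
  class vip-2
    loadbalance policy WEB_L7_POLICY-2
    nat dynamic 2 vlan 511
  class vip-3
    loadbalance policy WEB_L7_POLICY-3
    nat dynamic 3 vlan 511
interface vlan 511
  ip address 172.16.0.130 255.255.255.0
  access-group input any
  nat-pool 1 172.16.0.15 172.16.0.15 netmask 255.255.255.0 pat
  nat-pool 2 172.16.0.16 172.16.0.16 netmask 255.255.255.0 pat
  nat-pool 3 172.16.0.17 172.16.0.17 netmask 255.255.255.0 pat
  no shutdown
"""

RE_CLASS_MAP = re.compile(r"^class-map\s+match-(?:all|any)\s+(\S+)")
RE_VIP = re.compile(r"^\d+\s+match\s+virtual-address\s+(\S+)")
RE_POLICY = re.compile(r"^policy-map\s+multi-match\s+\S+")
RE_CLASS = re.compile(r"^class\s+(\S+)")
RE_NAT_DYN = re.compile(r"^nat\s+dynamic\s+(\d+)\s+vlan\s+(\d+)")
RE_INTERFACE = re.compile(r"^interface\s+vlan\s+(\d+)")
RE_NAT_POOL = re.compile(r"^nat-pool\s+(\d+)\s+(\S+)\s+(\S+)\s+netmask")


def parse_ace_config(text: str) -> dict:
    """Collect the VIP address per class-map, the `nat dynamic` reference per
    policy class, and the nat-pools per interface, keyed as (vlan, pool_id)."""
    cfg = {"class_maps": {}, "policy_classes": {}, "nat_pools": {}}
    mode, name = None, None  # current section and its class-map / class / vlan
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_CLASS_MAP.match(line):
            mode, name = "class-map", m.group(1)
            cfg["class_maps"].setdefault(name, None)
        elif RE_POLICY.match(line):
            mode, name = "policy", None
        elif m := RE_INTERFACE.match(line):
            mode, name = "interface", m.group(1)
        elif mode == "class-map" and (m := RE_VIP.match(line)):
            cfg["class_maps"][name] = m.group(1)
        elif mode == "policy" and (m := RE_CLASS.match(line)):
            name = m.group(1)
            cfg["policy_classes"].setdefault(name, None)
        elif mode == "policy" and name and (m := RE_NAT_DYN.match(line)):
            cfg["policy_classes"][name] = (m.group(2), m.group(1))  # (vlan, id)
        elif mode == "interface" and (m := RE_NAT_POOL.match(line)):
            cfg["nat_pools"][(name, m.group(1))] = (m.group(2), m.group(3))
    return cfg


def check_vip_snat(cfg: dict) -> Dict[str, dict]:
    """Per VIP class: the source address the servers (and a firewall in front
    of them) will see after SNAT, plus any configuration issues found."""
    report = {}
    for cls, ref in cfg["policy_classes"].items():
        vip = cfg["class_maps"].get(cls)
        entry = {"vip": vip, "server_sees": None, "issues": []}
        if vip is None:
            entry["issues"].append("no virtual-address match for class")
        if ref is None:
            # One-arm without SNAT: the server answers the client directly and
            # the reply never comes back through the ACE (asymmetric flow).
            entry["issues"].append("no 'nat dynamic': server replies bypass the ACE")
        elif ref not in cfg["nat_pools"]:
            entry["issues"].append("nat dynamic %s vlan %s has no nat-pool" % (ref[1], ref[0]))
        else:
            start, end = cfg["nat_pools"][ref]
            entry["server_sees"] = start if start == end else "%s-%s" % (start, end)
            if start != end:
                entry["issues"].append("nat-pool is a range; one address per VIP expected")
            elif vip is not None and start != vip:
                entry["issues"].append("nat-pool address %s differs from VIP %s" % (start, vip))
        report[cls] = entry
    return report


if __name__ == "__main__":
    for cls, entry in check_vip_snat(parse_ace_config(SAMPLE_CONFIG)).items():
        print(cls, entry["vip"], "-> servers see", entry["server_sees"], entry["issues"])
```

Run against the sample, every class comes back clean and `server_sees` equals the VIP, which is what the template intends; change one nat-pool address or drop one `nat dynamic` line and the report names the class that would either present an unexpected source address to the firewall or break the return path.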
08-09-2012 10:44 AM
Thank you.
I will test it and tell you how it goes.
Do you have any documentation regarding this that can help me?
Regards,
Hesm